You can create it as indicated above in my screenshot.
Anyway, I am not sure if this will help a lot. Generally I would recommend completely blocking access to the categories "Malicious Websites" and "Malicious Downloads", so not only denying access to executables but to everything that is malicious.
Probably it would make sense to validate that your policy is correct and strict enough to avoid infections. I don't think adding that single rule above will help; you should ensure that all the important components work, e.g. SSL Scanner enabled, AV enabled, URL Filter enabled and blocking access to malicious categories, etc. As I don't know your policy, it is hard to make an assumption about what changes would have helped in such a case.